I have truly had enough: every one of my servers gets its passwords scanned around the clock. At first I dealt with it by hand, but the other side kept forcing me to do better, because it became far too much to handle manually, so I put this together.

The 600-odd IP ranges I have collected are, I would guess, mostly compromised hosts. Every one of them has unmistakably scanned my passwords. To keep things simple I recorded all of them as /24 ranges, because in most cases many IPs in the same range were scanning, so this is the least effort. If some address is blocked unfairly, then its owner failed to secure it and got it taken over, which is not my problem. Since blocking these 600-odd ranges, I have seen no further scanning.

All of these ranges were collected from the FTP server I use for my own backups. Nobody but me has an account on it, so anyone trying to log in is necessarily a bad actor, like these:

2020-04-28 23:23:36,123 svr-bak proftpd[14320] 61.152.xx.xx (58.87.105.221[58.87.105.221]): USER 67662279.com: no such user found from 58.87.105.221 [58.87.105.221] to ::ffff:61.152.xx.xx:21
2020-04-28 23:23:36,930 svr-bak proftpd[14321] 61.152.xx.xx (58.87.105.221[58.87.105.221]): USER [email protected]: no such user found from 58.87.105.221 [58.87.105.221] to ::ffff:61.152.xx.xx:21
2020-04-28 23:23:38,323 svr-bak proftpd[14322] 61.152.xx.xx (58.87.105.221[58.87.105.221]): USER 67662279com: no such user found from 58.87.105.221 [58.87.105.221] to ::ffff:61.152.xx.xx:21
2020-04-28 23:23:39,128 svr-bak proftpd[14323] 61.152.xx.xx (58.87.105.221[58.87.105.221]): USER .67662279.com: no such user found from 58.87.105.221 [58.87.105.221] to ::ffff:61.152.xx.xx:21
2020-04-28 23:23:39,936 svr-bak proftpd[14324] 61.152.xx.xx (58.87.105.221[58.87.105.221]): USER [email protected]: no such user found from 58.87.105.221 [58.87.105.221] to ::ffff:61.152.xx.xx:21
2020-04-28 23:23:41,313 svr-bak proftpd[14325] 61.152.xx.xx (58.87.105.221[58.87.105.221]): USER [email protected]: no such user found from 58.87.105.221 [58.87.105.221] to ::ffff:61.152.xx.xx:21
2020-04-28 23:23:42,150 svr-bak proftpd[14326] 61.152.xx.xx (58.87.105.221[58.87.105.221]): USER 67662279: no such user found from 58.87.105.221 [58.87.105.221] to ::ffff:61.152.xx.xx:21
2020-04-28 23:23:42,933 svr-bak proftpd[14327] 61.152.xx.xx (58.87.105.221[58.87.105.221]): USER 67662279com: no such user found from 58.87.105.221 [58.87.105.221] to ::ffff:61.152.xx.xx:21
2020-04-28 23:23:43,742 svr-bak proftpd[14328] 61.152.xx.xx (58.87.105.221[58.87.105.221]): USER [email protected]: no such user found from 58.87.105.221 [58.87.105.221] to ::ffff:61.152.xx.xx:21
2020-04-28 23:23:44,552 svr-bak proftpd[14329] 61.152.xx.xx (58.87.105.221[58.87.105.221]): USER [email protected]: no such user found from 58.87.105.221 [58.87.105.221] to ::ffff:61.152.xx.xx:21
2020-04-28 23:23:45,336 svr-bak proftpd[14330] 61.152.xx.xx (58.87.105.221[58.87.105.221]): USER 67662279.com: no such user found from 58.87.105.221 [58.87.105.221] to ::ffff:61.152.xx.xx:21


The list is kept up to date here:

http://api.tingtao.org/fw/fw.php?act=ipsetrestore

That one is in ipset's restore format; there are also versions for a few common command-line tools:

Windows format:

http://api.tingtao.org/fw/fw.php?act=windows

FreeBSD ipfw format:

http://api.tingtao.org/fw/fw.php?act=ipfw

Linux ipset + iptables:

http://api.tingtao.org/fw/fw.php?act=ipset

The most convenient one for most people is the first: take it and strip the first few characters (the "add badip " prefix) from each line, and you are left with a bare list of ranges.


Complete Linux + ipset + iptables usage:

# Run this on every refresh. Without -exist the create line fails once the set already exists; with it the line is a harmless no-op on later runs:
wget 'http://api.tingtao.org/fw/fw.php?act=ipsetrestore' -O badip.txt
ipset -exist create badip hash:net
ipset flush badip
ipset restore -f badip.txt
rm badip.txt

# Once after boot. Note that -A appends at the end of INPUT, so if the chain already has an ACCEPT for port 21 (or a general ACCEPT) above it, use -I INPUT instead so the DROP is evaluated first:
iptables -A INPUT -m set --match-set badip src -j DROP
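Two things a practitioner would add to the refresh above, shown here as an added shell example that is not the author's script: the downloaded list is validated before it touches ipset (it arrives over plain HTTP from a third party, and a single line reading 0.0.0.0/0, or one covering your own management range, would lock you out), and the new contents are loaded into a scratch set and swapped in with `ipset swap`, so the live set is never empty between the flush and the restore. The `iptables -C` check makes the DROP rule idempotent, so the whole thing can run from cron. FEED_URL is the list published on this page; the /16 floor, the NEVER_BLOCK ranges and the sample feed are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the author's script: refresh the badip set from the
# fetched restore-format list with validation and an atomic swap.
# FEED_URL is the list published on this page; MIN_PREFIX and NEVER_BLOCK
# are example values to adapt.

FEED_URL='http://api.tingtao.org/fw/fw.php?act=ipsetrestore'
SET_NAME=badip
MIN_PREFIX=16                                  # the list holds nothing broader than /16
NEVER_BLOCK='192.0.2.0/24 203.0.113.0/24'      # your own ranges (example values)

# validate_feed SET: stdin = downloaded list, stdout = the lines safe to restore
# into SET. Keeps only "add <anything> a.b.c.d/NN" where a.b.c.d is a canonical
# dotted quad, NN lies between MIN_PREFIX and 32, and the entry is not in
# NEVER_BLOCK. Everything else (broken lines, 0.0.0.0/0, "add badip 1.2.3.4"
# without a prefix, our own networks) is dropped.
validate_feed() {
    awk -v set="$1" -v minp="$MIN_PREFIX" -v never="$NEVER_BLOCK" '
        function valid_ipv4(addr,    o, k) {
            if (split(addr, o, ".") != 4) return 0
            for (k = 1; k <= 4; k++)
                if (o[k] !~ /^[0-9]+$/ || (length(o[k]) > 1 && o[k] ~ /^0/) || o[k] + 0 > 255)
                    return 0
            return 1
        }
        BEGIN { n = split(never, nb, " "); for (i = 1; i <= n; i++) skip[nb[i]] = 1 }
        $1 == "add" && NF == 3 {
            if (split($3, parts, "/") != 2) next
            if (!valid_ipv4(parts[1])) next
            if (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 < minp + 0 || parts[2] + 0 > 32) next
            if ($3 in skip) next
            print "add " set " " $3
        }'
}

# refresh_badip: fetch, validate, load into a scratch set, swap it live, and
# make sure the DROP rule exists exactly once. Needs root.
refresh_badip() {
    scratch="${SET_NAME}_new"
    tmp=$(mktemp) || return 1
    wget -q -O - "$FEED_URL" | validate_feed "$scratch" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "feed empty or entirely rejected; keeping the current set" >&2
        rm -f "$tmp"
        return 1
    fi
    ipset -exist create "$SET_NAME" hash:net     # no-op once the set exists
    ipset -exist create "$scratch" hash:net
    ipset flush "$scratch"
    ipset restore -f "$tmp"                      # fills $scratch, live set untouched
    ipset swap "$scratch" "$SET_NAME"            # atomic: no window with an empty set
    ipset destroy "$scratch"                     # now holds the previous contents
    rm -f "$tmp"
    # -C returns non-zero if the rule is absent; insert it at the top only then
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

if [ "${1-}" = "--apply" ]; then
    refresh_badip
fi
```

Run it as root with `sh refresh-badip.sh --apply`; without the flag it only defines the functions, so the validator can be tried on a saved list with `validate_feed badip_new < list.txt`. A download that fails or is rejected entirely leaves the current set untouched; a truncated download is not detected and would shorten the list until the next run.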



If you want to collect ranges yourself, here are my scripts:

Collecting IP ranges:

# List the first three octets of every address currently connected to port 21, excluding my own IPs (1.2.3 and 2.3.4 are placeholders), write them to badip.txt, then load that file into the database. The local-address test is anchored on the port so ":2121" does not match, the IP is taken from the field before the port so IPv4-mapped "::ffff:" addresses work too, and the exclusion is an exact whole-line match rather than an unanchored regex:
netstat -tn 2>/dev/null | awk '$4 ~ /:21$/ {print $5}' | awk -F: '{print $(NF-1)}' | gawk '{ if (match($0,"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){2}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])",a)) print a[0] }' | sort -u | grep -v -x -F -e '1.2.3' -e '2.3.4' > badip.txt
mysql -u<db user> -h<db host> -p<db password> <db name> --local-infile=1 -e "LOAD DATA LOCAL INFILE 'badip.txt' IGNORE INTO TABLE ips (ip)"
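As an added example that is not the author's script, the same prefixes can be collected from proftpd log lines like the ones shown earlier instead of from netstat. Reading the log catches scanners that have already disconnected, and counting failures per /24 lets you demand a minimum number of attempts before a range is listed, so one mistyped user name from a stranger does not put their whole /24 in the database. The log lines, the addresses (documentation ranges) and the threshold are constructed for the example; the output has the same shape as badip.txt, so it can feed the same LOAD DATA statement.

```shell
#!/bin/sh
# Added example, not the author's script: derive /24 candidates from proftpd
# "no such user found" lines rather than from the current netstat table.
# Everything below (sample lines, addresses, threshold) is constructed.

# Constructed log lines in the proftpd format shown earlier. 198.51.100.0/24
# plays the scanner, 203.0.113.5 a single stray attempt, 192.0.2.10 one of
# our own hosts mistyping a user name, plus one line that is not a login.
SAMPLE_LOG='2020-04-28 23:23:36,123 svr-bak proftpd[14320] 10.0.0.2 (198.51.100.7[198.51.100.7]): USER admin: no such user found from 198.51.100.7 [198.51.100.7] to ::ffff:10.0.0.2:21
2020-04-28 23:23:36,930 svr-bak proftpd[14321] 10.0.0.2 (198.51.100.7[198.51.100.7]): USER backup: no such user found from 198.51.100.7 [198.51.100.7] to ::ffff:10.0.0.2:21
2020-04-28 23:23:38,323 svr-bak proftpd[14322] 10.0.0.2 (198.51.100.7[198.51.100.7]): USER test: no such user found from 198.51.100.7 [198.51.100.7] to ::ffff:10.0.0.2:21
2020-04-28 23:23:39,128 svr-bak proftpd[14323] 10.0.0.2 (198.51.100.9[198.51.100.9]): USER ftp: no such user found from 198.51.100.9 [198.51.100.9] to ::ffff:10.0.0.2:21
2020-04-28 23:23:40,001 svr-bak proftpd[14324] 10.0.0.2 (203.0.113.5[203.0.113.5]): USER www: no such user found from 203.0.113.5 [203.0.113.5] to ::ffff:10.0.0.2:21
2020-04-28 23:23:41,313 svr-bak proftpd[14325] 10.0.0.2 (192.0.2.10[192.0.2.10]): USER bakup: no such user found from 192.0.2.10 [192.0.2.10] to ::ffff:10.0.0.2:21
2020-04-28 23:23:42,150 svr-bak proftpd[14326] 10.0.0.2 (192.0.2.10[192.0.2.10]): USER bakcup: no such user found from 192.0.2.10 [192.0.2.10] to ::ffff:10.0.0.2:21
2020-04-28 23:23:42,933 svr-bak proftpd[14327] 10.0.0.2 (192.0.2.10[192.0.2.10]): USER backp: no such user found from 192.0.2.10 [192.0.2.10] to ::ffff:10.0.0.2:21
2020-04-28 23:23:44,000 svr-bak proftpd[14328] 10.0.0.2 (198.51.100.7[198.51.100.7]): FTP session closed.'

# bad_prefixes MIN [OWN]: read the proftpd log on stdin and print every a.b.c
# prefix with at least MIN failed "no such user" logins, skipping the
# space-separated prefixes in OWN. Output is sorted, one prefix per line,
# the same shape as badip.txt above.
bad_prefixes() {
    min=${1:-3}
    own=${2:-}
    awk -v min="$min" -v own="$own" '
        BEGIN { n = split(own, o, " "); for (i = 1; i <= n; i++) skip[o[i]] = 1 }
        /: no such user found from / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (split(ip, oct, ".") != 4) next          # ignore anything that is not a dotted quad
            p = oct[1] "." oct[2] "." oct[3]
            if (!(p in skip)) hits[p]++
        }
        END { for (p in hits) if (hits[p] + 0 >= min + 0) print p }
    ' | sort
}

# to_restore: turn the prefix list into ipset restore lines, exactly what the
# SQL export further down produces.
to_restore() {
    awk '{ print "add badip " $0 ".0/24" }'
}

if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | bad_prefixes 3 "192.0.2" | to_restore
fi
```

In production replace the sample with `bad_prefixes 3 "1.2.3 2.3.4" < /var/log/proftpd/proftpd.log > badip.txt` and hand the file to the same mysql LOAD DATA line as above; the threshold of 3 is an arbitrary starting point.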

Table structure:

SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;

DROP TABLE IF EXISTS `ips`;
CREATE TABLE `ips`  (
  `ip` varchar(200) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,  -- first three octets, e.g. 58.87.105
  `ipmask` int(255) DEFAULT 24,                                                  -- prefix length: 24, or 16 for a whole /16
  PRIMARY KEY (`ip`) USING BTREE                                                 -- the primary key already indexes ip; a second index on it would be redundant
) ENGINE = MyISAM CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci ROW_FORMAT = Dynamic;

SET FOREIGN_KEY_CHECKS = 1;

Note that the ip column must be the primary key: that is what prevents duplicate rows, and it is also what the IGNORE in the LOAD DATA statement relies on to skip prefixes already present. The character set does not matter, use whatever you like, since the values are all digits anyway. The varchar length of 200 leaves room for adding IPv6 later.

If you would rather not use my database, exporting from your own works the same way:

mysql -u<db user> -h<db host> -p<db password> <db name> -N -e "SELECT CONCAT('add badip ', ip, '.0/', ipmask) FROM ips" > badip.txt

That line is equivalent to

wget 'http://api.tingtao.org/fw/fw.php?act=ipsetrestore' -O badip.txt

Adapt the rest to your needs; it is all simple SQL string handling.


The reason I keep it in MySQL is that several servers do the collecting, and a single shared store saves reinventing the wheel on each of them. If you only have one server, a plain file is the easiest.


Only one range in my database is a /16, because more than ten /24s inside it were scanning, so I took out the whole thing in one go. Everything else is a /24.
